No matter what sector you find yourself in, you will likely have heard the ‘G’ word being thrown about. The General Data Protection Regulation, or GDPR for short, now forms an essential part of day-to-day operations.
Although the data protection rule came into full effect in 2018, it’s important to be aware of the GDPR terms and definitions to ensure you are always compliant. This is especially true for organisations that send customer, employee and supplier communications containing financial, personal and sensitive information. It’s also crucial for organisations that work with third-party suppliers and need to know that those suppliers are GDPR compliant.
In order to help you brush up on your data protection knowledge, we’ve compiled a simple GDPR glossary of terms and definitions.
This blog will also cover:
- What is GDPR?
- A brief history of GDPR
- Why is it important to understand GDPR and its terminology?
- Who it applies to
What is GDPR?
GDPR is an EU data protection rule that limits what organisations can do with personal data and facilitates how people access information about themselves.
A brief history of GDPR
GDPR first came to fruition in 2016 when, after more than four years of discussion and debate, it successfully passed through the European Parliament. However, it was not until 25 May 2018 that organisations were required to be compliant with the new law.
The EU sought to harmonise data privacy laws across member countries, as well as enhance the protection and rights of EU residents. It’s considered to be the world’s strongest set of data protection rules and the regulation acts as a framework of laws across the European continent.
However, member countries were also given some flexibility, as they could make small changes to suit their unique requirements. In the UK, this resulted in the creation of the Data Protection Act 2018, which replaced the previous Data Protection Act 1998.
The importance of understanding GDPR and its terms
It’s important to have a grasp of the GDPR terms and definitions if customer data plays an integral part in the day-to-day operations of your organisation. This applies even more so to organisations that send communications to customers, employees, or suppliers that contain financial, personal and sensitive information.
You have a duty to protect the data you collect, distribute, and store. Such communications can contain personal and sensitive information, such as bank details and medical information. Similarly, if you work with any third-party suppliers, they must be GDPR compliant.
Who does GDPR apply to?
The GDPR terms apply to any company or entity that processes personal data from an EU branch, regardless of where the data is processed. It also applies to any company established outside the EU that monitors the behaviour of, or provides goods or services to, EU citizens.
Even though the UK is no longer part of the EU, the UK Data Protection Act 2018 adheres to most of the GDPR rules, and if you conduct business in the EU you still have to follow GDPR. It is therefore best practice to fully understand the GDPR terms.
Both the private sector and the public sector must abide by the data protection law. However, there are some differences in the way the GDPR terms are applied.
Private sector
The UK GDPR applies to both controllers and processors of data. The former determines the purpose and means behind the processing of personal data, whilst the latter is responsible for processing the data for the controller.
If you are an organisation that processes personal data relating to EU residents, you will need to comply with GDPR. However, if your organisation does not focus on the processing of data and there is no risk to individuals, some of the GDPR obligations will not apply, for example the appointment of a Data Protection Officer.
Public sector
Just like the private sector, public bodies, including public administrations and governments, fall under the scope of GDPR. The moment public entities collect or process any personal data relating to EU residents, such as health records, tax information, or IP addresses, they are required to comply with GDPR terms.
One of the main differences of GDPR compliance between private and public sectors is that all public organisations must appoint a Data Protection Officer. This individual is then responsible for monitoring compliance, implementing a data governance framework, and liaising with the data protection authorities.
GDPR terms and definitions
Cyber Security – the protection of systems, networks and data in an online environment.
Data Controller – the organisation/person, responsible for making decisions about what happens to personal data, determining the purposes and means of processing.
Data Processor – a third-party organisation/vendor/person that is responsible for processing personal data on behalf of a Data Controller. Typical examples are software companies, hosting providers and printers. They handle and store personal information in accordance with the instructions of the Data Controller.
Data Protection Officer (DPO) – a data security expert who helps Data Controllers and Processors comply with GDPR, avoid risks when processing personal data and, if needed, report data breaches to the Information Commissioner’s Office (ICO).
Data Sharing Agreements – a formal contract between Data Controllers and Processors (or Processors and Sub-Processors) that clearly states what data is being shared and how the data can be used.
Data Subject – the person to whom personal data relates.
Data Sub-Processor – where a Processor engages another Processor to complete the service they are providing to the Data Controller. The Data Controller must provide written authorisation to its Processor, agreeing to the use of the Sub-Processor.
Right To Access – individuals have the right to access their personal data and know how the data is used after it has been stored. If requested, companies must provide individuals with a free copy of their personal data in an electronic format.
Right To Data Portability – individuals have the right to request a data transfer from one provider to another in a commonly used and readable format.
Right To Erasure – also known as the right to be forgotten. If individuals are no longer customers, they are within their rights to withdraw their consent and have their data deleted.
Personal Data – any information that can be used to directly or indirectly identify a person (Data Subject). For example: name, address, email address, last four digits of a credit card number, and IP address.
Sensitive Personal Data – special categories of personal data that are considered sensitive, including racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data when processed to uniquely identify an individual.
Supervisory Authority – any local, national, or multinational organisation/agency responsible for administering data protection laws. In the UK, for example, this is the ICO.
Final thoughts
With the advent of smartphones, innovations in mobile networks, and rapid consumption of data, technology is evolving. As technology evolves, so does the speed at which data is produced, stored, and used.
The GDPR guidelines tell organisations what they can and can’t do with that information, whilst giving users more clarity on how their data is being used.
It’s vital that organisations, both in the public and private sector, protect the data of EU residents to the best of their ability. However, without the correct knowledge and understanding of the GDPR terms, it’s difficult to know if you are compliant.
At Datagraphic, we place data security at the core of everything we do. That’s why we’re ISO 27001 certified, GDPR compliant and place special emphasis on the importance of information security and document security.
If you’d like to find out more about GDPR or need some more advice, please get in touch.